Main Content

Security Defects

Defects related to security weaknesses and vulnerabilities

These defects highlight places in your code which are vulnerable to hacking or other security attacks. Many of these defects do not cause runtime errors, but instead point out risky areas in your code. The defects include:

  • Managing sensitive data

  • Using dangerous or obsolete functions

  • Generating random numbers

  • Externally controlled paths and commands

Polyspace Results

expand all

File access between time of check and use (TOCTOU)File or folder might change state due to access race
File descriptor exposure to child processCopied file descriptor used in multiple processes
File manipulation after chroot without chdirPath-related vulnerabilities for file manipulated after call to chroot
Inappropriate I/O operation on device filesOperation can result in security vulnerabilities or a system failure
Unsafe call to a system functionUnsanitized command argument has exploitable vulnerabilities
Use of non-secure temporary fileTemporary generated file name not secure
Vulnerable path manipulationPath argument with /../, /abs/path/, or other unsecure elements
Bad order of dropping privilegesDropped higher elevated privileges before dropping lower elevated privileges
Privilege drop not verifiedAttacker can gain unintended elevated access to program
Umask used with chmod-style argumentsArgument to umask allows external user too much control
Vulnerable permission assignmentsArgument gives read/write/search permissions to external users
Unsafe standard encryption functionFunction is not reentrant or uses a risky encryption algorithm
Unsafe standard functionFunction unsafe for security-related purposes
Use of dangerous standard functionDangerous functions cause possible buffer overflow in destination buffer
Use of obsolete standard functionObsolete routines can cause security vulnerabilities and portability issues
LDAP injectionData read from an untrusted source is used in the construction of an LDAP query (Since R2023a)
SQL injectionData read from an untrusted source is used in the construction of an SQL query (Since R2023a)
Deterministic random output from constant seedSeeding routine uses a constant seed making the output deterministic
Predictable random output from predictable seedSeeding routine uses a predictable seed making the output predictable
Vulnerable pseudo-random number generatorUsing a cryptographically weak pseudo-random number generator
Critical data member is not privateA critical data member is declared public (Since R2022a)
Errno not checkederrno is not checked for error conditions following function call
Execution of a binary from a relative path can be controlled by an external actorCommand with relative path is vulnerable to malicious attack
Function pointer assigned with absolute addressConstant expression is used as function address is vulnerable to code injection
Hard-coded sensitive dataSensitive data is exposed in code, for instance as string literals (Since R2020a)
Incorrect order of network connection operationsSocket is not correctly established due to bad order of connection steps or missing steps
Information leak via structure paddingPadding bytes can contain sensitive information
Load of library from a relative path can be controlled by an external actorLibrary loaded with relative path is vulnerable to malicious attacks
Mismatch between data length and sizeData size argument is not computed from actual data length
Missing case for switch conditionswitch variable not covered by cases and default case is missing
Misuse of readlink()Third argument of readlink does not leave space for null terminator in buffer
Plain text password stored in file systemPassword stored in files in plain text format (Since R2023b)
Resource injectionData input is not properly restricted before being used as a resource identifier (Since R2024a)
Returned value of a sensitive function not checkedSensitive functions called without checking for unexpected return values and errors
Sensitive data printed outFunction prints sensitive data
Sensitive heap memory not cleared before releaseSensitive data not cleared or released by memory routine
Uncertain memory cleaningThe code clears information that might be sensitive from memory but compiler optimization might leave the information untouched (Since R2022a)
Uncleared sensitive data in stackVariable in stack is not cleared and contains sensitive data

Topics

  • Bug Finder Defect Groups

    The Bug Finder defect checkers are classified into groups such as data flow, concurrency, numerical, and so on.